IS Decisions logo

IS Decisions Blog

How to reduce the risk of insider threat in healthcare

Hackers gaining access to confidential patient data poses a big risk for healthcare organizations. Here's how to reduce the risk of an insider threat in healthcare.

Updated Dec 31, 2015
Healthcare insider threat reduce risk

Who will be next to fall victim to a hacking scandal? Who knows. At healthcare organizations, arguably the worst part of a data breach is the personal health information. Thousands upon thousands of intensely sensitive medical records, for sale on the black market.

Controlling access to confidential patient data

Among many high-profile healthcare breaches, there's the security breach at U.S. health insurance company Anthem, which still stands as a hallmark attack years later. In this cyber attack, stolen user credentials are thought to have been used to gain network access and steal sensitive data.

Stolen data within the healthcare industry could not only damage an organization’s reputation and result in many potential lawsuits, there are obvious implications for the rights of patients and customers, not to mention significant repercussions in terms of government regulations.

In the U.S., the HIPAA Privacy Rule sets the national standard for the security of the electronic protected health information (e-PHI). As nearly all information is now digital, this trend to see internally-sourced security breaches is only going to grow. HIPAA's technical safeguards seek to mitigate that risk by requiring technical, administrative, and physical safeguards, the foundation of HIPAA compliance.

All too often, as in the Anthem breach, the attacker is no clever tech-whizz hacker getting a hold of the information. In fact, many times attacks start when unauthorized users acquire and misuse employee credentials to gain access to secured systems.

Healthcare organizations have a moral duty to protect patient information

With such a high number of serious breaches happening, are IT departments within these organisations doing something about it? With any healthcare organisation’s moral duty to protect patient data, you would expect healthcare to be better at tackling insider threat, but unfortunately that does not seem to be the case. The fact is that the majority of security breaches come from internal sources, and the healthcare industry is worst than most with double the number of internal security breaches than the average of other industries (according to IS Decisions’ research of 500 IT decision makers).

Not only is the data within the healthcare industry highly confidential, the stakes are arguably higher than in any other sector due to the sheer volume of data many organisations possess, and the nature of that information. The consequences of a hack at a healthcare organisation will undoubtedly involve innocent victims and nasty lawsuits, just as we’re already seeing from the Anthem breach. With millions of patient information stored, this could cripple a healthcare organisation.

Especially considering the strains being put on the healthcare sector currently, particularly within the NHS, the financial implications of this risk cannot be ignored. You would expect finance directors and board members at any healthcare organisation to be sitting up straight and paying attention.

How to mitigate the risk of an insider threat in healthcare

So, what's the best way to mitigate insider threat risks in healthcare?

Follow zero-trust principles and focus on access security

First, make sure you control and monitor all login rights are according to the business requirements and role of the user. Get a tattoo of the phrase "never trust, always verify" and live by it. Yes, it sounds harsh. But research shows that IT managers see a zero trust security framework as their best option. This is especially true when the employee is often their greatest security threat.

Implement contextual and role-based access controls

When you control login rights with role-based access controls (RBAC) or contextual access controls, you can stop unauthorized access without limiting the user. The employee has the flexibility to work as normal, but they only have access to what's necessary for them to do their job.

And remember, this is not just about protection from malicious employees. Careless user behavior is a common source of security breaches. Users are human beings (good thing you came here to learn that, right?). They are flawed, they make mistakes, and there will always be instances of users acting outside the boundaries of policy (and sometimes common sense). That’s why stronger enforcement of access policy is so vital.

Depoy multi-factor authentication (MFA)

These strong contextual access policies also complement multi-factor authentication (MFA), the gold standard to make sure the person requesting access is indeed the right person. While there's no formal HIPAA MFA requirement, it's the only way to truly verify identity. Together, your contextual policies can limit the need for excessive MFA, making sure your employees don't get MFA fatigue and security stays strong.

Promote cyber awareness training

It’s also important that we consider employee education as another level of defense within an organisation. Regular cyber awareness training is key. Explain to employees why their behaviors are so important to reduce the risk of security breaches. If they understand, they are far more likely to think twice before sharing their password, and less likely to fall victim to social engineering.

Address the insider threat for better security, and easier compliance with the HIPAA Security Rule

Naturally, no single security policy is perfect, so the more layers you can add, the better. Your goal is to shrink your attack surface as small as it can get. If you do this, you give yourself a better chance of catching a breach before any real damage is done (not to mention maintaining HIPAA compliance).

Remember the golden triangle. A good balance between user education and technology is likely to have the best results.

Preferably, your access security solutions will strengthen Windows logon security to prevent unauthorized access to networks, while deploying user alerts triggered by suspicious behavior.

Tools such as UserLock and FileAudit give admins greater flexibility and control, and can block a lot of careless user behaviors, as well as helping educate and encourage accountability for behavior through alerts and notifications.

Healthcare organizations must safeguard patient and client personal information, and it’s important to understand that the insider threat will never disappear. Make sure your IT team deploys the strongest strategy possible to mitigate that risk.

A version of this article originally appeared in Hospital Management, April 2015: A bi-monthly publication for both private and NHS hospitals throughout the U.K.